Penetration testing

Synapse follows a solid process based on an established, well-known standard in the field of
information security to deliver professional services to enterprises. This process has been refined over
the years, turning Synapse into a well-known security services provider.
This type of testing involves a comprehensive analysis of publicly available information about the
target and a network enumeration phase in which target hosts are identified and analyzed and the behavior of
security devices such as screening routers and firewalls is analyzed. Vulnerabilities within target hosts
are then identified and verified, and their implications assessed. The penetration testing exercise is
about testing whether the client is susceptible to external intrusions and measuring the degree of susceptibility.
Hence, tests are focused on the weaker points. Whether the application, the network or even the personnel is
the weakest link, the tester takes advantage of it to the maximum extent. Combining multiple low-risk
vulnerabilities to conduct a focused, coherent, high-damage attack is one of the main strengths of
this type of testing. This simulates real-world attack scenarios that are highly technical and motivated.

Our Methodology of Penetration Testing

Steps.

Information Gathering.

Enumeration.

Vulnerability Identification.

False positives and false negatives detection.

Exploiting.

Reporting.

Remediation.

Information Gathering

Synapse's expert security testers use information gathering techniques to find all available
information about the target using both technical and social methods. Also, when applicable, a physical
site visit is done to examine the different security aspects of the target's different sites.

Enumeration

When all possible information about the target has been acquired, a more technical approach is taken to
'footprint' the network and resources in question. Network-specific information from the previous
section is taken and expanded upon to fine-tune the information previously acquired. In this
phase a blueprint of the whole system in scope is built and visualized to be able to identify a
vulnerability. This is done by combining all the information gathered in the previous phase by
multiple testers and unifying the knowledge of the whole team about the target system.

Vulnerability Identification

During vulnerability identification, Synapse's security tester will perform several activities to detect
exploitable weak points.

False positives and false negatives detection

Synapse takes this section very seriously, since most competitors in the market will
send out a report with several false positives in both the technical and the management report, which in turn
will raise false alarms within the company itself. Synapse assures that its reports do not have any
false positives or false negatives.

Exploiting

After gathering information about the target network, Synapse's security tester highlights the
attacking points and starts performing penetration testing activities. The tester will perform the
penetration test from different points on the network and with different privileges and authorization.
On many occasions, Synapse's tester might be able to exploit some weakness in the system and gain
access to a portion of the network. At this point, the whole process is restarted from a different vantage
point using the newly acquired information. The blueprint map is updated to reflect the newly discovered
information leveraged from the exploited system.

Reporting

Reporting the findings of the penetration tests is integral to fulfilling the previously mentioned
strategic motivations and driving forces behind engaging in such a process. Hence, once the above tasks
are completed, a documentation scheme is followed to report the results at different levels,
including the technical and management levels.

Penetration Testing Remediation Plan

Synapse will help ensure that all vulnerabilities or problems arising from the penetration test are fixed
and re-tested to ensure that all problems and vulnerabilities in the Customer's infrastructure are gone.